https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

[debian-lts-announce] 20180308 [SECURITY] [DLA 1303-1] python-django security update

103361

USN-3591-1

DSA-4161

RHSA-2018:2927

RHSA-2019:0082

RHSA-2019:0051

RHSA-2019:0265

Updated packages are now available for Red Hat Gluster Storage 3.4 Web Administration Batch Update 3 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage WebAdministration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS.

Security Fix(es) :

* django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536)

* django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)

* django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Django project for reporting CVE-2018-7536 and CVE-2018-7537.

Users of Red Hat Gluster Storage Web Administration with Red Hat Gluster Storage are advised to upgrade to this updated package to fix these issues.

update to 2.0.3, fix CVE-2018-7536 (rhbz#1552178)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 1.11.11 security release (CVE-2018-7536 CVE-2018-7537)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update is now available for Red Hat Satellite 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es) :

* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)

* hornetq: XXE/SSRF in XPath selector (CVE-2015-3208)

* bouncycastle: Information disclosure in GCMBlockCipher (CVE-2015-6644)

* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)

* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)

* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)

* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)

* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)

* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)

* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)

* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)

* logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929)

* python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (CVE-2017-7233)

* hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536)

* puppet: Environment leakage in puppet-agent (CVE-2017-10690)

* Satellite 6: XSS in discovery rule filter autocomplete functionality (CVE-2017-12175)

* foreman: Stored XSS in fact name or value (CVE-2017-15100)

* pulp: sensitive credentials revealed through the API (CVE-2018-1090)

* foreman: SQL injection due to improper handling of the widget id parameter (CVE-2018-1096)

* foreman: Ovirt admin password exposed by foreman API (CVE-2018-1097)

* django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536)

* django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)

* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)

* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)

* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)

* puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions (CVE-2017-10689)

* bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions (CVE-2018-5382)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; and the Django project for reporting CVE-2017-7233, CVE-2018-7536, and CVE-2018-7537. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat); and the CVE-2018-1096 issue was discovered by Martin Povolny (Red Hat). Red Hat would also like to thank David Jorm (IIX Product Security) for reporting CVE-2015-3208.

Additional Changes :

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes document linked to in the References section.

James Davis discovered two issues in Django, a high-level Python web development framework, that can lead to a denial-of-service attack. An attacker with control on the input of the django.utils.html.urlize() function or django.utils.text.Truncator's chars() and words() methods could craft a string that might stuck the execution of the application.

This update for python3-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

This update for python-Django to version 1.18.18 fixes multiple issues. Security issues fixed :

  - CVE-2018-7537: Fixed catastrophic backtracking in     django.utils.text.Truncator. (bsc#1083305)

  - CVE-2018-7536: Fixed catastrophic backtracking in urlize     and urlizetrunc template filters (bsc#1083304).

  - CVE-2016-7401: CSRF protection bypass on a site with     Google Analytics (bsc#1001374).

  - CVE-2016-2513: User enumeration through timing     difference on password hasher work factor upgrade     (bsc#968000).

  - CVE-2016-2512: Fixed malicious redirect and possible XSS     attack via user-supplied redirect URLs containing basic     auth (bsc#967999).

  - CVE-2016-9013: User with hardcoded password created when     running tests on Oracle (bsc#1008050).

  - CVE-2016-9014: DNS rebinding vulnerability when     DEBUG=True (bsc#1008047).

  - CVE-2017-7234: Open redirect vulnerability in     django.views.static.serve() (bsc#1031451).

  - CVE-2017-7233: Open redirect and possible XSS attack via     user-supplied numeric redirect URLs (bsc#1031450).

  - CVE-2017-12794: Fixed XSS possibility in traceback     section of technical 500 debug page (bsc#1056284)

update to 1.11.11, fix CVE-2018-7536, CVE-2018-7537

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several functions were extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in several regular expressions.

CVE-2018-7536

The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that behaves similarly.

CVE-2018-7537

If django.utils.text.Truncator&rsquo;s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

The backtracking problem in the regular expression is fixed.

For Debian 7 'Wheezy', these problems have been fixed in version 1.4.22-1+deb7u4.

We recommend that you upgrade your python-django packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

James Davis discovered that Django incorrectly handled certain template filters. A remote attacker could possibly use this issue to cause Django to consume resources, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
121606	RHEL 7 : Storage Server (RHSA-2019:0265)	Nessus	Red Hat Local Security Checks	medium
120798	Fedora 28 : python-django (2018-cce0e0bd04)	Nessus	Fedora Local Security Checks	medium
120357	Fedora 28 : python2-django1.11 (2018-39cc0bc342)	Nessus	Fedora Local Security Checks	medium
118185	RHEL 7 : Satellite Server (RHSA-2018:2927)	Nessus	Red Hat Local Security Checks	critical
108773	Debian DSA-4161-1 : python-django - security update	Nessus	Debian Local Security Checks	medium
108641	openSUSE Security Update : python3-Django (openSUSE-2018-318)	Nessus	SuSE Local Security Checks	critical
108640	openSUSE Security Update : python-Django (openSUSE-2018-317)	Nessus	SuSE Local Security Checks	critical
108390	Fedora 27 : python-django (2018-bd1147f152)	Nessus	Fedora Local Security Checks	medium
107242	Debian DLA-1303-1 : python-django security update	Nessus	Debian Local Security Checks	medium
107194	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : python-django vulnerabilities (USN-3591-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2018-7536

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

medium

medium

medium

critical

medium

critical

critical

medium

medium

medium